Wednesday, October 1, 2008

Plug and play

At the Crisis Lounge, data loss, whether it be government computer discs or carelessly mislaid laptops, is one of the hot topics.

The Lizard was interested to see a new twist to the tale.

Andrew Mason from security firm Random Storm bought some network hardware from auction site eBay for 99p.

When he switched it on and plugged it in, the device automatically connected to the internal network of Kirklees Council in West Yorkshire.

Kirklees Council called the discovery "concerning" (the Lizard can only imagine what was actually said in private) but said its data had not been compromised.

For under a pound Mason bought what is known as a virtual private network (VPN) server made by the firm Cisco Systems that automates all the steps needed to get remote access to a network.

Mason expected he'd have to input network settings to make the device work. Not a bit of it – it connected up straight away.

Subsequent investigation found that the internet address to which it connected was owned by Cap Gemini, a government outsource provider.

"It is like having a long ethernet cable (directly into) the Council office," said Mason.

A connection such as this allows privileged access to networks. In the wrong hands, such as criminally minded hackers, it would allow them to conduct reconnaissance and find out if the network had any vulnerabilities worth exploiting.

Internal network access permitted credit card detail theft from retailers TK Maxx last year and Cotton Traders in June.

A spokesman for consulting firm Cap Gemini said it managed Kirklees Council's network from 2000 to the end of May 2005. At that point, he said, control was handed back to the council, which had decided to manage the network itself.

Just shows you can get anything on eBay!